Re: [Script] [Video] fakeAP_pwn (v0.3)

Hi, just installed #112 and ran update. This said updating to #113, but when I look in the script it still shows #112; I presume this is OK and it just saved it as version 113.
Everything seems OK except the victim still can't connect to the internet. I get a meterpreter session OK.
In previous posts there is talk of bind9; is this something I need to do, or is the script going to be updated?
P.S. hostapd seems to solve my previous connection problems.
Thanks

Re: [Script] [Video] fakeAP_pwn (v0.3)

Hi g0tmi1k, thanks for all the hard work, but I have a problem. In the early days, before the encoding scheme on the payload, it used to get detected; then you used shikata ... and it evaded AV, but now it gets picked up again. So I am wondering if I can append the script to encode using my scheme, as it's totally undetected. I had to re-encode my payloads after posting a video of AV evasion and had the scheme smashed all over VirusTotal and rendered useless. Lesson well learnt, not to do that again... I have used multiple encoding again with a twist and used it successfully, evading over 20 of the top AVs with heuristics. Manually placing it in the server directory, overwriting yours, only sends the stage at the moment, but as a payload in itself it works, so is there something in the script that could stop this from completing?

Long-winded, I know, but the Fake AP project is pukka and worked a treat before the virus sig got out; now it won't get past AV.

Re: [Script] [Video] fakeAP_pwn (v0.3)

@Everyone,
Sorry for the delay in getting back to you all, I'm currently moving house and haven't got the internet setup yet!

Originally Posted by Casca

Hi, I got the same thing - if you have 2 r8187L-based wifi cards you can fix it by:

nano fakeAP_pwn.sh
Change mon0 to wlan1 and save. I had a look at the code and it's removing the rtl8187 drivers and replacing them with r8187 automatically, so there is no "mon0" being created.

Might want to issue rmmod r8187 & modprobe rtl8187 after the script runs, or just insert that code near the end to complete the cleanup (mac80211 autoloads with rtl8187, so no need to modprobe it).

Thanks for the heads up + fix! (I'll add it in for my next update.)
I want to *try* to automate detecting the monitor interface, removing this problem altogether. However, all my monitor interfaces use monX, so it may not be "perfect"....

Originally Posted by Scamentology

Might have a bug with meterpreter while running "true" for extras.

VNC WKV and my own encoded payload worked perfectly with the script until I put the extras value to true.
(It sends the stage, then gives a session ID, then stalls forever.)

Test comp gives up to 3 popups for the download and starts 2 sessions.

I was still able to get a meterpreter session on the side with a different port while the fake AP was connected to my test computer, so it's not the connection or meterpreter.

Did I miss if there was WEP support for airbase? I didn't see it in the script anywhere. I'm afraid to continue with hostapd.

Ver 112
using ath9k
eth0 to an AP without internet access (changed ping google.com to 192.168.1.1 to get around the check by your script)
These are the only alterations to your script.

Hope this is helpful. Ver 109 works for my purposes, but I will keep trying the new versions.

What a fun project!!!

I've been tweaking & testing extras for another script, so I'll see if the new update fixes this issue.

Thanks for doing all that testing & reports - it's a great help!
Odd that when you enable "extras" it stops... I'll see which program(s) causes it.

After running the latest script, Wicd reports all networks as having 1% WEP even if they're WPA. OK, I fixed this problem by doing the following commands:

Code:

:~# rmmod r8187
:~# modprobe rtl8187

This also fixed the error I was having:
# Commented lines 762-764, but you can still take a look at the log to verify.

Now the latest version, #112, is working perfectly. Except the internet does not work after infection, but everything else is good to go.

PS: is version 0.7 out yet? I would like to try that AP clone... ;]

Another issue with r8187... Hmmm, I'll check it out for my next release.
Does the internet work in "Normal" mode?
hehe, 0.7 is a "while" off. =P I'm trying to fix all these little bugs before I start on v0.4!

everything connecting to the tap at at0 gets sent to 127.0.0.1, no matter what they type in, plus at0 can have multiple connections...

Very nice, I'll also give this a test as well.

Originally Posted by joker5bb

Nice, but bind9 is way better to use.
But there are some things you are still missing, like HTTPS.
Also, I'm thinking about how to get multi-client support working; any ideas?

Can I ask why bind9 is better?
Could we not use the config file that fakeAP_pwn creates for apache for HTTPS? Or iptables?
You sent me that link a while back about multi-client & PHP/iptables; would that not do the trick?

Originally Posted by Casca

I installed bind9 and tried your config - you're right, bind9 is way better for this. I'm still looking at the docs, but I think I might have an idea for multi client... gotta play with it a bit.

This is from me not testing it yet, but how is it better?
If you find anything helpful for the multi-client, could you get in touch?

Originally Posted by cseven

g0tmi1k, can you add fakeAP_pwn to your Google Code page so if someone wants to go back a version they can? Or is it somewhere that I don't see?

Don't know if I messed it up, but it's working again. Using a GPRS modem via USB (wvdial) at ppp0.

Thanks for reporting, I'll see if I can get a fix for the next release.

Originally Posted by parrotface

Hi, just installed #112 and ran update. This said updating to #113, but when I look in the script it still shows #112; I presume this is OK and it just saved it as version 113.
Everything seems OK except the victim still can't connect to the internet. I get a meterpreter session OK.
In previous posts there is talk of bind9; is this something I need to do, or is the script going to be updated?
P.S. hostapd seems to solve my previous connection problems.
Thanks

I'm guessing the script's version variable didn't get updated - I wouldn't worry about it.
So when you used hostapd it "works", whereas when you run it with airbase-ng it stops at which point?
I'm going to look into bind9 and see about adding it in to the script (you don't need to worry about it).

Originally Posted by pentest09

Hi g0tmi1k, thanks for all the hard work, but I have a problem. In the early days, before the encoding scheme on the payload, it used to get detected; then you used shikata ... and it evaded AV, but now it gets picked up again. So I am wondering if I can append the script to encode using my scheme, as it's totally undetected. I had to re-encode my payloads after posting a video of AV evasion and had the scheme smashed all over VirusTotal and rendered useless. Lesson well learnt, not to do that again... I have used multiple encoding again with a twist and used it successfully, evading over 20 of the top AVs with heuristics. Manually placing it in the server directory, overwriting yours, only sends the stage at the moment, but as a payload in itself it works, so is there something in the script that could stop this from completing?

Long-winded, I know, but the Fake AP project is pukka and worked a treat before the virus sig got out; now it won't get past AV.

Great work though once again..

Regards Dee

From the first post:

Bypassing "Problem" programs
* Anti Virus - As of 2010-09-02, you MAY be able to bypass SOME by uncommenting line 1397 --- BackTrack only.

Does that work for you?
What is your encoding scheme?
Which AV are you using? Which AV is it being detected by?
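
To go with the monitor-interface problem Casca reported (no mon0 when the script swaps rtl8187 for r8187) and the detection g0tmi1k says he wants to try, here is an added example, not code from fakeAP_pwn: a POSIX shell snippet that parses `iw dev` output and picks a monitor-mode interface, falling back to a named card when none exists. It assumes `iw` is installed and prints interfaces as `Interface NAME` / `type MODE` pairs; the two embedded `iw dev` listings are constructed samples, not captures from anyone's hardware in the thread. The driver-restore function is Casca's two commands wrapped so they can run once the script exits.

```shell
#!/bin/sh
# Added example (not part of fakeAP_pwn): find the monitor-mode interface
# instead of hard-coding "mon0". Assumes `iw dev` is available and lists
# interfaces as "Interface NAME" lines followed by "type MODE" lines.

# Read `iw dev` output on stdin; print each monitor-mode interface, one per line.
find_monitor_ifaces() {
    awk '
        /^[ \t]*Interface[ \t]/                  { iface = $2 }
        /^[ \t]*type[ \t]+monitor/ && iface != "" { print iface; iface = "" }
    '
}

# pick_capture_iface FALLBACK: prefer a monitor interface from the `iw dev`
# output on stdin; with none (the r8187 case), use FALLBACK, e.g. wlan1.
# Returns 1 when nothing usable is found so the caller can stop early.
pick_capture_iface() {
    fallback=$1
    iface=$(find_monitor_ifaces | head -n 1)
    if [ -n "$iface" ]; then
        printf '%s\n' "$iface"
    elif [ -n "$fallback" ]; then
        printf '%s\n' "$fallback"
    else
        echo "no monitor interface found and no fallback given" >&2
        return 1
    fi
}

# Casca's cleanup, to run once the script has exited (needs root; not called here).
restore_rtl8187_driver() {
    rmmod r8187 && modprobe rtl8187   # mac80211 is pulled in automatically
}

# Constructed sample listings (assumed shape of `iw dev`; not real captures).
SAMPLE_TWO_CARDS='phy#0
  Interface mon0
    ifindex 4
    type monitor
  Interface wlan0
    ifindex 3
    type managed
phy#1
  Interface wlan1
    ifindex 5
    type managed'

SAMPLE_NO_MONITOR='phy#0
  Interface wlan1
    ifindex 5
    type managed'

# Live use inside the script would be:  IFACE=$(iw dev | pick_capture_iface wlan1)
printf '%s\n' "$SAMPLE_TWO_CARDS"  | pick_capture_iface wlan1   # prints mon0
printf '%s\n' "$SAMPLE_NO_MONITOR" | pick_capture_iface wlan1   # prints wlan1
```

The awk pattern keys on the `type monitor` line rather than the interface name, so it works whether the interface is called mon0, mon1 or something airmon-ng did not create; the fallback argument covers Casca's setup, where the card itself has to be used because no monitor interface is ever made.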

Re: [Script] [Video] fakeAP_pwn (v0.3)

Encoding is a mix of multiple encoders, re-encoding over 3 times: 1.exe, then using that as the template for the next, etc.

Smart Security picks it up, and it was the only one that got most if not all of my payloads; all of the other majors didn't even get basic encoding, so my aim is to evade ESET, which I have done again. It picked up yours and my old coding as Rozena generic. Only as of the middle of last week, may I add; I was running the same encode for over 8 months undetected. So I was wondering if I can script the Metasploit part of the encoding to fit with my own for the Windows update.exe.

Thanks for such a quick reply.
Regards, Dee
PS: good luck with the move.

I use VMware with snapshots of AVs instead of using VirusTotal. Over 20 or so, and it evades all.

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by g0tmi1k

Can I ask why bind9 is better?
Could we not use the config file that fakeAP_pwn creates for apache for HTTPS? Or iptables?
You sent me that link a while back about multi-client & PHP/iptables; would that not do the trick?

dnsmasq is only a DNS forwarder; bind9 is a DNS nameserver.
bind9 would only be used for non-transparent mode.
We can do a simple multi-client configuration by using PHP on the client side, iptables and MAC authentication, but we also need something else to gain them access to the internet: we need a Metasploit session ID. This could be done by starting a Metasploit database.

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by g0tmi1k

Another issue with r8187...Hmmm, Ill check it out for my next release.
Does the internet work in "Normal" mode?
hehe, 0.7 is a "while" off. =P Im trying to fix all theses little bugs before I start on v0.4!

I have a whole new setup now. I'm not on VMware anymore, but when I was, internet on the target's machine didn't work. Now that I'm running an HD install I will give it another try and post results.

Wiffy-Auto-Cracker was the best thing that ever happened to me. :) Wo0oT :)
AWUSO36H_500mW_5dBi Antenna

Re: [Script] [Video] fakeAP_pwn (v0.3)

Originally Posted by pentest09

Encoding is a mix of multiple encoders, re-encoding over 3 times: 1.exe, then using that as the template for the next, etc.

Smart Security picks it up, and it was the only one that got most if not all of my payloads; all of the other majors didn't even get basic encoding, so my aim is to evade ESET, which I have done again. It picked up yours and my old coding as Rozena generic. Only as of the middle of last week, may I add; I was running the same encode for over 8 months undetected. So I was wondering if I can script the Metasploit part of the encoding to fit with my own for the Windows update.exe.

Thanks for such a quick reply.
Regards, Dee
PS: good luck with the move.

I use VMware with snapshots of AVs instead of using VirusTotal. Over 20 or so, and it evades all.

Yes, it can be done. On #113, it's line 1460, where it creates "Windows-KB183905-x86-ENU.exe". Edit this with your "settings".
It would be great if you could share your settings - though I do understand there is more chance your payload will be detected....

Originally Posted by joker5bb

dnsmasq is only a DNS forwarder; bind9 is a DNS nameserver.
bind9 would only be used for non-transparent mode.
We can do a simple multi-client configuration by using PHP on the client side, iptables and MAC authentication, but we also need something else to gain them access to the internet: we need a Metasploit session ID. This could be done by starting a Metasploit database.

I've been messing about with dnsmasq, and I've got it working for fakeAP_pwn (both non-transparent & transparent mode). I'm feeling that it might replace "dhcp3" & "dnsspoof". =p
Haven't got bind9 working right yet. )=
I'm going to try and focus on getting rid of a few bugs before starting work on multiple clients.

Originally Posted by Eatme

I have a whole new setup now. I'm not on VMware anymore, but when I was, internet on the target's machine didn't work. Now that I'm running an HD install I will give it another try and post results.

Do you mean normal? Or when the targets are meant to be able to surf the internet (after infection, with transparent & normal mode)?
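
To go with joker5bb's dnsmasq/bind9 point and g0tmi1k's note that dnsmasq can cover both modes, here is an added example, not fakeAP_pwn's own configuration: a POSIX shell snippet that generates a dnsmasq.conf for either mode, plus the forwarding and NAT rules a transparent-mode client needs before it can reach the internet (the first two things to check for the "victim can't connect to the internet" reports in this thread). The interface name at0, the 10.0.0.0/24 range, eth0 as the uplink and the lease values are assumptions for the example, not values taken from the script.

```shell
#!/bin/sh
# Added example, not fakeAP_pwn's own config: one dnsmasq instance covering
# what the script splits across dhcp3 (DHCP) and dnsspoof (DNS answers).
# Assumptions, not from the thread: the fake AP's interface is at0 on
# 10.0.0.1/24, the uplink is eth0, and upstream DNS comes from /etc/resolv.conf
# (dnsmasq's default whenever no-resolv is absent).

# dnsmasq_conf MODE AP_IF AP_IP  -> writes a dnsmasq.conf to stdout
#   transparent    : real DNS answers; clients reach the internet via nat_rules
#   nontransparent : every name resolves to AP_IP, so all HTTP lands on the
#                    fake AP's own web server, as dnsspoof did
dnsmasq_conf() {
    mode=$1 ap_if=$2 ap_ip=$3
    net=${ap_ip%.*}                          # 10.0.0.1 -> 10.0.0
    cat <<EOF
interface=$ap_if
bind-interfaces
dhcp-range=$net.100,$net.200,12h
dhcp-option=option:router,$ap_ip
dhcp-option=option:dns-server,$ap_ip
log-queries
EOF
    case $mode in
        transparent)
            echo "# DNS is forwarded upstream; nothing is spoofed" ;;
        nontransparent)
            # never consult a real resolver; '#' matches every name
            echo "no-resolv"
            echo "address=/#/$ap_ip" ;;
        *)
            echo "dnsmasq_conf: unknown mode '$mode'" >&2
            return 1 ;;
    esac
}

# nat_rules AP_IF UPLINK -> prints the commands that let AP_IF clients reach
# the internet through UPLINK. A meterpreter session that comes back while the
# victim still cannot browse usually means one of these is missing: forwarding
# is off, or nothing masquerades out of the uplink. Apply as root:
#   nat_rules at0 eth0 | sh
nat_rules() {
    ap_if=$1 uplink=$2
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A POSTROUTING -o $uplink -j MASQUERADE
iptables -A FORWARD -i $ap_if -o $uplink -j ACCEPT
iptables -A FORWARD -i $uplink -o $ap_if -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Print the non-transparent variant; start it with
#   dnsmasq --conf-file=/path/to/dnsmasq.conf --no-daemon
dnsmasq_conf nontransparent at0 10.0.0.1
```

Running `dnsmasq_conf transparent ...` differs only in the tail: it leaves out `no-resolv` and the catch-all `address=/#/` line, so clients get genuine answers and the `nat_rules` output is what decides whether their traffic actually leaves via eth0.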